We are trying to start using MFA for our Universal environment and configured a user with login verification "Password and TOTP token".
When we are on our LAN, the login into the Universal GUI is working as expected and after login on the main login-screen the user is automatically forwarded to https://{base_url}/indicium/account/ui/totp/login
When at an external location the Universal GUI is working without TOTP, but when trying to login with a user with TOTP configured we get an "An unknown error occurred" when he should be forwarded to the totp-redirect location.
In the indicium log there is no error mentioned.
So what can be the issue in here? Maybe on our firewall/WAF? IIS? Or something else?
Best answer by Nathan
Hi @C. Lousberg,
The internal success of your TOTP configuration versus the external "unknown error" strongly indicates a perimeter network issue, rather than a problem within Indicium itself, which is supported by the clean server logs. Most commonly, this is caused by a restrictive rule on your firewall or Web Application Firewall (WAF) that is intercepting or blocking the required traffic (specifically the redirect or one of the subsequent API calls) necessary for the TOTP challenge to complete successfully from an outside connection.
To diagnose this maybe try using your browser's developer tools to watch the network tab during an external login attempt; identifying the precise request that fails with a non-200 status code will usually reveal exactly what the WAF or external security layer is preventing from passing through.
Let me know if this reveals any additional information to narrow down the issue.
It is likely this is indeed the case, as you state you are not having any issues in your own LAN. However, there are some scenarios where Indicium itself also returns a 403 Forbidden status code.
Some of those scenarios involve:
User lockout: too many failed access attempts
User not allowed: user is not allowed to sign in due to unmet requirements
These do not sound logical to me, because the auth works in your LAN.
Can you validate the headers that come back in the situation that it works and in the one that it doesn’t work (on the /account/api/login call)?
I think it might have to do something with the “X-2FA-State” header. I suspect that this header is returned correctly when working on your LAN and it does not come back when going through the WAF.
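The header comparison suggested above, as an added example that is not Thinkwise/Indicium code: it parses two captured responses to the /account/api/login call (one from the LAN, one through the WAF) and reports which headers the perimeter stripped. The X-2FA-State header name is taken from the reply; its value, the status lines and the other headers are constructed sample data.

```python
# Added example, not Indicium code: diff the /account/api/login response seen on
# the LAN against the one seen through the WAF. X-2FA-State is the header named in
# the thread; its value and the other sample headers are constructed.

# Constructed LAN capture: TOTP challenge advertised.
LAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-2FA-State: Required\r\n"
    "Set-Cookie: session=placeholder; Path=/; HttpOnly\r\n"
    "\r\n"
    "{}"
)

# Constructed WAF capture of the same call: the 2FA header is gone.
WAF_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Set-Cookie: session=placeholder; Path=/; HttpOnly\r\n"
    "\r\n"
    "{}"
)

def parse_response(raw):
    """Return (status_code, {lowercased header name: value}) for a raw HTTP/1.1 response."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_block.split("\r\n"):
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return status, headers

def diff_login_responses(lan_raw, waf_raw, required=("x-2fa-state",)):
    """Report status and header differences; flag when a header the TOTP flow needs is lost."""
    lan_status, lan_h = parse_response(lan_raw)
    waf_status, waf_h = parse_response(waf_raw)
    missing = sorted(h for h in lan_h if h not in waf_h)
    changed = sorted(h for h in lan_h if h in waf_h and lan_h[h] != waf_h[h])
    return {
        "status": (lan_status, waf_status),
        "missing_headers": missing,
        "changed_headers": changed,
        # A differing status (e.g. a 403 from the perimeter) or a stripped 2FA header both break the redirect.
        "breaks_totp_flow": waf_status != lan_status or any(h in missing for h in required),
    }
```

Paste the raw responses copied from the browser's network tab in place of the constructed captures; a non-empty `missing_headers` containing `x-2fa-state` points at the WAF rewriting the response.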